[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: syncrepl and structuralObjectClass operational attribute

To: openldap-technical@openldap.org
Subject: Re: syncrepl and structuralObjectClass operational attribute
From: jehan procaccia <jehan.procaccia@it-sudparis.eu>
Date: Mon, 26 Mar 2012 17:29:06 +0200
Cc: Marvin Mundry <marvin.mundry@rrz.uni-hamburg.de>
In-reply-to: <4F6C580D.3000201@it-sudparis.eu>
Organization: IT-SudParis
References: <4F6B64B4.50205@it-sudparis.eu> <CALBygRZy++gAtpzfPuWmLypkyodu4nbF9DQ4idm20kiFAg2Ssw@mail.gmail.com> <4F6C580D.3000201@it-sudparis.eu>
User-agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111115 Thunderbird/8.0

Le 23/03/2012 12:01, jehan procaccia a écrit :

Le 22/03/2012 21:24, Marvin Mundry a écrit :

Mar 22 17:51:20 ldapz2 slapd[24456]: entry failed schema check: no
structuralObjectClass operational attribute
could it be related to the fact that the binddn account cannot read all
attributes from the master ?

sounds like the replication user is not allowed to read the
structuralObjectClass attribute of the object that's userPassword gets
modified.

on the provider try:
ldapsearch -D cn=replicationuser,[...] -w replicationuser-password -b
[...]dc=domain,dc=com cn=user-with-changed-password +

by appending the + symbol you request all structural attributes. if
structuralObjectClass is not returned try adapting your acls.

bests,
Marvin

OK, I tried to search for operational attribute with the replicabinddn from the replica to the master:

ldapsearch -x uid=test -H ldap://master.it-sudparis.eu -Dcn=replic,ou=System,dc=int-evry,dc=fr -W userpassword cn +

result is
# test, People, int-evry.fr
dn: uid=test,ou=People,dc=int-evry,dc=fr
createTimestamp: 20080910055004Z
cn: Jehan TEST
userPassword:: XXXXXXXXXXXXXXXXXXXXXXRcTZYS0ZULi5OXXXXXXXXXXXX
modifyTimestamp: 20120322172339Z

so I did get some operational attributes, but apparently not all !

what kind of ACL do I need to set to allow all operational attributesto that binddn ?


Thanks.

I finaly come to a solution of enumarating all the operationalattributes to be read by the binddn of the replic user:access toattrs=modifyTimestamp,createTimestamp,structuralObjectClass,creatorsName,entryCSN,modifiersName,subschemaSubentry,hasSubordinates

        by self                                                 write
        by dn="cn=admin,dc=int-evry,dc=fr"                      write
        by dn="cn=replic,ou=System,dc=int-evry,dc=fr"       read

but i'am not sure it's the best way to do it !?

moreover, I had an acl rule below that one that allowed read to onlymodifyTimestamp attribute:

access to dn.subtree="ou=Group,ou=System,dc=int-evry,dc=fr"attrs=cn,sn,modifyTimestamp

        by dn="cn=admin,dc=int-evry,dc=fr"                      write
        by dn="cn=replic,ou=System,dc=int-evry,dc=fr"             read

I wonder what happen then for ou=Group,ou=System,dc=int-evry,dc=frsub-objectswill they inherit 1st rules allowing read on all operational attributes,or will it have acces only to modifyTimestamp !?

References:
- syncrepl and structuralObjectClass operational attribute
  - From: Jehan PROCACCIA <Jehan.Procaccia@it-sudparis.eu>
- Re: syncrepl and structuralObjectClass operational attribute
  - From: Marvin Mundry <marvin.mundry@rrz.uni-hamburg.de>
- Re: syncrepl and structuralObjectClass operational attribute
  - From: jehan procaccia <jehan.procaccia@it-sudparis.eu>

Prev by Date: Re: can't modify or add uidNumber attribute
Next by Date: Re: can't modify or add uidNumber attribute
Index(es):
- Chronological
- Thread